MPLS-Branch to Branch connectivity

hclisschennai
Level 1

Dear All,

I have a head office and branch offices connected using MPLS VPN. It is not fully meshed; it is a hub & spoke topology.

Now I am able to communicate between the branch offices and the head office.

But I want communication between branch offices through the head office (not a direct connection between branch offices). I want to configure ACLs on the head office CE router to block/allow some traffic between branch offices.

I am aware that in a point-to-point hub & spoke topology it is possible. But in MPLS, how does it have to be done? The reason for raising this point is that when traffic is destined from the Branch-1 CE router to the Branch-2 CE router, it gets routed in the PE-3 router itself and not via the head office CE router.

Then how do I achieve this? Please help.

RBK


hclisschennai
Level 1

Hi,

I missed the network sketch in the previous post. Please refer to the attached network diagram.

RBK

Hi RBK,

To deploy a Hub & Spoke VPN, you need two different RTs. One (RT1) will be used by PE-3 to export the hub prefixes and an aggregate route of the spoke prefixes (or a default route).

The other RT (RT2) will be used by the remote PEs to export the spoke prefixes.

So your PE configuration should look like:

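PE-3:

    ! RT1 and RT2 stand for the actual route-target values
    ip vrf customer
     route-target import RT2
     route-target export RT1
    !

PE-1 and PE-2:

    ip vrf customer
     route-target import RT1
     route-target export RT2
    !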

PE-1 and PE-2 import only routes exported by PE-3.

This way, all your spoke-to-spoke traffic will go through your HUB CE.

If you have several spokes connected to the same PE, you will need one VRF per spoke to avoid local switching.

HTH

Laurent.
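The import/export rule from the reply above can be checked mechanically before relying on ACLs at the head office CE. The following is an added example, not part of the original thread and not Cisco code: a small model that audits a set of VRF definitions for paths that would let branch traffic bypass the hub. The VRF names, site names, dictionary layout and the `audit_hub_spoke` function are assumptions made for illustration; `RT1` and `RT2` are the placeholders used in the reply.

```python
from itertools import permutations

def audit_hub_spoke(vrfs, hub):
    """Return (vrf, peer, reason) findings where spoke traffic can bypass the hub CE.

    vrfs maps a VRF name to {"pe", "import", "export", "sites"}.
    A VRF learns another VRF's prefixes when it imports an RT the other exports.
    """
    findings = []
    hub_vrf = vrfs[hub]
    spokes = {name: v for name, v in vrfs.items() if name != hub}
    # 1. A spoke that imports an RT another spoke exports learns branch routes directly.
    for a, b in permutations(spokes, 2):
        shared = spokes[a]["import"] & spokes[b]["export"]
        if shared:
            findings.append((a, b, "imports spoke routes via " + ",".join(sorted(shared))))
    for name, v in spokes.items():
        # 2. Several sites in one VRF on the same PE are switched locally by that PE.
        if len(v["sites"]) > 1:
            findings.append((name, name, "sites share one VRF on " + v["pe"]))
        # 3. Without these two imports the branch has no path through the hub at all.
        if not (v["import"] & hub_vrf["export"]):
            findings.append((name, hub, "spoke does not import the hub RT"))
        if not (hub_vrf["import"] & v["export"]):
            findings.append((hub, name, "hub does not import the spoke RT"))
    return findings

# Constructed sample data following the layout in the reply (PE-3 hub, PE-1/PE-2 spokes).
GOOD = {
    "hub":     {"pe": "PE-3", "import": {"RT2"}, "export": {"RT1"}, "sites": ["HeadOffice"]},
    "branch1": {"pe": "PE-1", "import": {"RT1"}, "export": {"RT2"}, "sites": ["Branch-1"]},
    "branch2": {"pe": "PE-2", "import": {"RT1"}, "export": {"RT2"}, "sites": ["Branch-2"]},
}
# Constructed misconfiguration: one spoke also imports RT2, and two branches share a VRF.
BAD = {
    "hub":     GOOD["hub"],
    "branch1": {"pe": "PE-1", "import": {"RT1", "RT2"}, "export": {"RT2"}, "sites": ["Branch-1"]},
    "shared":  {"pe": "PE-2", "import": {"RT1"}, "export": {"RT2"},
                "sites": ["Branch-2", "Branch-3"]},
}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_hub_spoke(cfg, "hub") or "no bypass paths")
```

An empty result means every branch-to-branch path in the model crosses the hub VRF, which is the precondition for the head office CE ACLs to see that traffic.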

Hi Laurent,

Your reply is helpful to understand the logic. I appreciate it.

But I am still not clear on a basic concept. That is, if the traffic is sent from the BRANCH-1 CE destined to the BRANCH-2 CE, won't it be routed in PE-3 itself, bypassing the HEAD OFFICE CE?

RBK

It won't because the traffic is MPLS switched up to the CE.

The PE will have a CEF entry with an outgoing interface associated to the VPN label, so there is no lookup in the VRF routing table.

HTH

Laurent.
